I don't think it makes sense to use an AX attribute for the pseudonymous
identifier, since the assertion will still contain the correlatable OpenID
identifier. It seems that the OP should return a unique RP-specific
OpenID in the response.
Breno's idea about using an identifier-less request is interesting, but
the RP is asking to sign the user in, so the request is about an identifier.
Allen
David Recordon wrote:
Does it make more sense to use a PAPE policy requesting a pseudonymous
identifier or an AX attribute requesting one? Any of these approaches
would work, I just don't think we've mapped out the pros/cons of each.
--David
On May 13, 2009, at 8:44 AM, George Fletcher wrote:
I don't think OpenID should specify how pseudonymous identifiers are
generated. That should be up to the OP. But I like the idea of using
a fixed URI as the claimed_id value to specify the behavior desired
by the RP. If, however, we need to grow this to cover anonymous based
identifiers (i.e. the claims based models from earlier in this
thread) then it might make sense to look at a PAPE extension that
covers the type of identifier requested.
Thanks,
George
Nat Sakimura wrote:
Sorry for a slow response. This week is especially busy for me...
I borrowed the notion from Austrian Citizen ID system.
In there, the services are divided into "sectors."
A sector may span several agencies.
They call the ID a PIN (Personal Identification Number).
There is a secret PIN (sPIN) which is not used anywhere but in their
SmartCard.
Then, the sector-specific PIN (ssPIN) is calculated in the manner of:
SHA1(sPIN + SectorID)
(Note, there is a bit more details but...)
I have thrown OP secret into it.
To avoid the analytic attack, I agree that it is better to use an
individual secret, as some of you point out.
Regards,
=nat
On Tue, May 12, 2009 at 5:55 PM, Dick Hardt <dick.ha...@gmail.com>
wrote:
On 12-May-09, at 1:36 AM, Nat Sakimura wrote:
Reason for using RP's Subject in XRD instead of simply using realm is
to allow for something like group identifier.
would you elaborate on the group identifier concept?
This is just one idea. Downside of this approach
is that we need to set up a WG.
I am sure there are more ideas. It might be possible to utilize AX
so that it will only be a profile that does not require a WG.
So shall we start discussing which direction we want to go forward?
sure!
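The derivation Nat sketches above (ssPIN = SHA1(sPIN + SectorID), optionally with an OP secret mixed in) and the "analytic attack" he concedes an individual secret would avoid can both be shown in a few lines. The following is an added illustration written for this page, not code from the thread, the Austrian Citizen ID system, or any OpenID implementation. The 6-digit PIN, the two sector URIs, the OP-wide secret and the per-user keys are all constructed sample values; the HMAC-SHA256 variant is this example's choice for "individual secret", not something the thread specifies.

```python
import hashlib
import hmac
import itertools
from typing import Optional

# Constructed sample inputs (not from the thread): one user's secret PIN and two
# "sectors" (RP realms) that user signs in to. A short numeric PIN is used on
# purpose, to make the enumeration attack below visible.
SAMPLE_SPIN = "482913"
SECTOR_TAX = "https://tax.example.gov/"
SECTOR_HEALTH = "https://health.example.gov/"

# Hypothetical OP-wide secret: one value shared across every user.
OP_SECRET = b"op-wide-secret-assumed-for-illustration"

# Hypothetical per-user secrets: 32 random bytes the OP would store per account
# (fixed here so the example is reproducible; use secrets.token_bytes(32) in practice).
USER_SECRET_A = bytes.fromhex("3f9c0d1e7a2b4c5d6e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f")
USER_SECRET_B = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5f6a7b8c9d0e1f2a3b4c5d")


def sspin_plain(spin: str, sector_id: str) -> str:
    """Sector-specific identifier as sketched in the thread: SHA1(sPIN || SectorID).

    Stable for one (user, sector) pair and different across sectors, so two RPs in
    different sectors cannot join their records on it. Its unlinkability rests
    entirely on sPIN staying secret and not being guessable."""
    return hashlib.sha1((spin + sector_id).encode()).hexdigest()


def sspin_op_secret(spin: str, sector_id: str, op_secret: bytes) -> str:
    """Variant with an OP-wide secret mixed in ("I have thrown OP secret into it").

    The secret stops an RP from testing PIN guesses against the identifiers it
    receives, but it is a single key for all users: anyone who holds it is back
    to attacking a function of the low-entropy sPIN alone."""
    return hashlib.sha1(op_secret + spin.encode() + sector_id.encode()).hexdigest()


def sspin_per_user(user_secret: bytes, sector_id: str) -> str:
    """Per-user keyed derivation: HMAC-SHA256 over the sector string under a
    high-entropy secret the OP holds for this user only.

    Nothing low-entropy is left to enumerate, and compromise of one user's key
    exposes that user's identifiers only, not everyone's."""
    return hmac.new(user_secret, sector_id.encode(), hashlib.sha256).hexdigest()


def recover_spin(sspin: str, sector_id: str, op_secret: bytes,
                 digits: int = 6) -> Optional[str]:
    """The analytic attack on the global-secret variant.

    Given one identifier, the sector string, and the (leaked or insider-known)
    OP secret, enumerate the PIN space and compare. A 6-digit PIN costs at most
    10**6 SHA1 evaluations. Returns the recovered PIN, or None if not found."""
    for candidate in itertools.product("0123456789", repeat=digits):
        guess = "".join(candidate)
        if sspin_op_secret(guess, sector_id, op_secret) == sspin:
            return guess
    return None


if __name__ == "__main__":
    tax_id = sspin_op_secret(SAMPLE_SPIN, SECTOR_TAX, OP_SECRET)
    health_id = sspin_op_secret(SAMPLE_SPIN, SECTOR_HEALTH, OP_SECRET)
    print("tax sector id:   ", tax_id)
    print("health sector id:", health_id)
    print("sectors linkable on the identifier alone?", tax_id == health_id)
    print("sPIN recovered from tax id with the OP secret:",
          recover_spin(tax_id, SECTOR_TAX, OP_SECRET))
    print("per-user key, same sector, two users:",
          sspin_per_user(USER_SECRET_A, SECTOR_TAX)[:16],
          sspin_per_user(USER_SECRET_B, SECTOR_TAX)[:16])
```

The plain and OP-secret variants both give a stable, per-sector identifier, which is the property the thread wants for an RP-specific OpenID. The difference shows up in `recover_spin`: once the shared secret is known, the OP-secret variant is only as strong as the PIN, and every user falls at once. The per-user HMAC keeps the same stable, unlinkable shape, but the only thing to brute-force is a 256-bit key that differs per account.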
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs